Description
AVideo through version 27.0 contains a server-side request forgery vulnerability in plugin/Live/test.php that allows authenticated administrators to read arbitrary URLs via the statsURL parameter, which lacks isSSRFSafeURL() validation and accepts requests to private IP ranges and cloud metadata endpoints. Attackers can exploit this by crafting requests to internal services, cloud metadata endpoints like 169.254.169.254, and localhost to retrieve sensitive information including IAM credentials, internal service responses, and network configuration details.
Published: 2026-06-20
Score: 6.1 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is an SSRF flaw in the Live/test.php plugin of AVideo up to version 27.0. The statsURL parameter is not checked by isSSRFSafeURL() and can resolve to any URL, including private IPs and cloud metadata endpoints. An authenticated administrator can therefore read the contents of arbitrary URLs, which may expose IAM credentials, internal service responses, or network configuration data. This allows disclosure of confidential information but does not provide broader system compromise. The weakness is identified as CWE‑918.

Affected Systems

The affected product is AVideo, versions up to 27.0, specifically the Live/test.php plugin when accessed by users with admin privileges. No further vendor versions are listed.

Risk and Exploitability

The CVSS score of 6.1 indicates moderate severity. EPSS is not available, but the flaw is not listed in CISA’s KEV catalog, so public exploit availability is unknown. The attack requires legitimate admin credentials and the ability to submit a statsURL value, making the threat most significant in environments where administrators have excessive privileges or where the plugin is exposed to untrusted users. If exploited, attackers can retrieve sensitive internal information, potentially aiding further attacks. The lack of validation to protect private network ranges or cloud metadata services heightens the risk of accidental information disclosure.

Generated by OpenCVE AI on June 20, 2026 at 19:21 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update AVideo to the latest stable release or apply the vendor‑supplied patch that enforces SSRF protection on the statsURL parameter.
  • Restrict the ability to access the Live/test.php endpoint to trusted administrators only and monitor activity for abnormal requests.
  • Configure network controls (e.g., firewall rules or host‑only routing) to block outbound connections from the web server to private IP ranges and standard cloud metadata endpoints such as 169.254.169.254.
  • If a patch is not yet available, disable the statsURL feature or manually set the isSSRFSafeURL() check in the plugin source code to block untrusted URLs.

Generated by OpenCVE AI on June 20, 2026 at 19:21 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Mon, 22 Jun 2026 14:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Sat, 20 Jun 2026 18:45:00 +0000

Type Values Removed Values Added
Description AVideo through version 27.0 contains a server-side request forgery vulnerability in plugin/Live/test.php that allows authenticated administrators to read arbitrary URLs via the statsURL parameter, which lacks isSSRFSafeURL() validation and accepts requests to private IP ranges and cloud metadata endpoints. Attackers can exploit this by crafting requests to internal services, cloud metadata endpoints like 169.254.169.254, and localhost to retrieve sensitive information including IAM credentials, internal service responses, and network configuration details.
Title AVideo - Server-Side Request Forgery in Live/test.php via statsURL Parameter
First Time appeared Wwbn
Wwbn avideo
Weaknesses CWE-918
CPEs cpe:2.3:a:wwbn:avideo:*:*:*:*:*:*:*:*
Vendors & Products Wwbn
Wwbn avideo
References
Metrics cvssV3_1

{'score': 6.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N'}

cvssV4_0

{'score': 6.1, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:N/VA:N/SC:H/SI:N/SA:N'}


cve-icon MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-06-22T13:46:06.256Z

Reserved: 2026-06-20T13:13:56.012Z

Link: CVE-2026-56342

cve-icon Vulnrichment

Updated: 2026-06-22T13:46:01.213Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-20T22:30:02Z

Weaknesses
  • CWE-918

    Server-Side Request Forgery (SSRF)